Assurance requirements
Prior to CSRD, external assurance was voluntary, but this will change. While some large companies provided reports based on the limited assurance requirements from ISAE3000 – a standard framework for non-financial reporting – most haven’t had to or chosen to provide assurance. Under the ISAE3000, there are two levels of assurance: limited and reasonable. Reasonable provides more assurance than limited, with the latter providing a “moderate” level, meaning there’s a limited amount of testing and a heavy reliance on inquiry and review.
CSRD reports must be assured by an external party. Initially, limited assurance will be sufficient, but reasonable assurance will likely be required further down the road. A new sustainability assurance standard is currently under consultation, and the EU may develop its own standard, so the exact requirements are still not clear.
Internal audit as an enabler
There isn’t a cookie-cutter solution on what role internal audit can (or will) play in your organization’s CSRD implementation. It’s important to be flexible and look for opportunities to add value. Internal auditors are working in an environment with a lot of…